Logical Methods in Computer Science 
Vol. 7 (2:12) 2011, pp. 1-21 
www.lmcs-online.org 



Submitted Jan. 14, 2010 
Published Nov. 16, 2011 



MODEL CHECKING CTL IS ALMOST ALWAYS INHERENTLY 

SEQUENTIAL * 

OLAF BEYERSDORFF", ARNE MEIER^ MARTIN MUNDHENK^ THOMAS SCHNEIDER'^, 
MICHAEL THOMAS ^ AND HERIBERT VOLLMER-^ 

^ Theoretical Computer Science, Leibniz University of Hannover, Germany 
e-mail address: {beyersdorff, meier, thomas, vollmer}@thi.uni-hannover.de 

Computer Science, University of Jena, Germany 
e-mail address: martin.mundhenk@uni-jena.de 

Computer Science, Saarland University, Germany 
e-mail address: schneider@ps.uni-saarland.de 



Revision Note. This is a revised and corrected version of the article originally published 
on May 17, 2011. 



Abstract. The model checking problem for CTL is known to be P-complete (Clarke, 
Emerson, and Sistla (1986), see Schnoebelen (2002)). We consider fragments of CTL 
obtained by restricting the use of temporal modalities or the use of negations — restrictions 
already studied for LTL by Sistla and Clarke (1985) and Markey (2004). For all these 
fragments, except for the trivial case without any temporal operator, we systematically 
prove model checking to be either inherently sequential (P-complete) or very efficiently 
parallelizable (LOGCFL-complete). For most fragments, however, model checking for 
CTL is already P-complete. Hence our results indicate that, in cases where the combined 
complexity is of relevance, approaching CTL model checking by parallelism cannot be 
expected to result in any significant speedup. 

We also completely determine the complexity of the model checking problem for all 
fragments of the extensions ECTL, CTL+, and ECTL+. 



1998 ACM Subject Classification: D.2.4, F.3.1, 1.2.2, 1.2.4. 

Key words and phrases: Model checking, temporal logic, complexity. 

* A preliminary version of this paper appeared in the proceedings of the conference TIME'09 [BMM"'"09] . 
Supported in part by grants DEC VO 630/6-1, VO 630/6-2, DAAD-ARC D/08/08881, and BC-ARC 
1323. 




IN COMPUTER SCIENCE D0I:1 0.21 68/LMCS-7 (2:12) 2011 © Creative Comrnonsl 



© O. Beyersdorff. A. M eier, M. Mundheni^, T. Schneider, M. Thomas, and H. Voiimer 



2 O. BEYERSDORFF, A. MEIER, M. MUNDHENK, T. SCHNEIDER, M. THOMAS, AND H. VOLLMER 



1. Introduction 

Temporal logic was introduced by Pnueli [Pnu77] as a formalism to specify and verify prop- 
erties of concurrent programs. Computation Tree Logic (CTL), the logic of branching time, 
goes back to Emerson and Clarke |EC82] and contains temporal operators for expressing 
that an event occurs at some time in the future (F), always in the future (G), in the next 
point of time (X), always in the future until another event holds (U), or as long as it is not 
released by the occurrence of another event (R), as well as path quantifiers (E, A) for speak- 
ing about computation paths. The full language obtained by these operators and quantifiers 
is called CTL* [ EH86) . In CTL, the interaction between the temporal operators and path 
quantifiers is restricted. The temporal operators in CTL are obtained by path quantifiers 
followed directly by any temporal operator, e.g., AF and AU are CTL-operators. Because 
they start with the universal path quantifier, they are called universal CTh-operators. Ac- 
cordingly, EX and EG are examples for existential CTL-operators. 

Since properties are largely verified automatically, the computational complexity of 
reasoning tasks is of great interest. Model checking (MC) — the problem of verifying whether 
a given formula holds in a state of a given model — is one of the most important reasoning 
tasks jSchnSj . It is intractable for CTL* (PSPACE-complete |EL87[ ISdlOS] ). but tractable 
for CTL (complete for polynomial time |CES86t ISch03| ). 

Although model checking for CTL is tractable, its P-hardness means that it is presum- 
ably not efficiently parallelizable. We therefore search for fragments of CTL with a model 
checking problem of lower complexity. We will consider all subsets of CTL-operators, and 
examine the complexity of the model checking problems for all resulting fragments of CTL. 
Further, we consider three additional restrictions affecting the use of negation and study 
the extensions ECTL, CTL"^, and their combination ECTL"*". 

The complexity of model checking for fragments of temporal logics has been examined 
in the literature: Markey |Mar04j considered satisfiability and model checking for fragments 
of Linear Temporal Logic (LTL). Under systematic restrictions to the temporal operators, 
the use of negation, and the interaction of future and past operators, Markey classified the 
two decision problems into NP-complete, coNP-complete, and PSPACE-complete. Further, 
[BMS"'"09] examined model checking for all fragments of LTL obtained by restricting the set 
of temporal operators and propositional connectives. The resulting classification separated 
cases where model checking is tractable from those where it is intractable. For model 
checking paths in LTL an AC^(LOGDCFL) algorithm is presented in jKF09]. 

Concerning CTL and its extension ECTL, our results in this paper show that most 
restricted versions of the model checking problem exhibit the same hardness as the general 
problem. More precisely, we show that apart from the trivial case where CTL-operators are 
completely absent, the complexity of CTL model checking is a dichotomy: it is either P- 
complete or LOGCFL-complete. Unfortunately, the latter case only occurs for a few rather 
weak fragments and hence there is not much hope that in practice, model checking can be 
sped up by using parallelism — it is inherently sequential. 

Put as a simple rule, model checking for CTL is P-complete for every fragment that 
allows to express a universal and an existential CTL-operator. Only for fragments involving 
the operators EX and EF (or alternatively AX and AG) model checking is LOGCFL-complete. 
This is visualized in Figure H] in Section [5l Recall that LOGCFL is defined as the class of 
problems logspace-reducible to context-free languages, and NL C LOGCFL C NC^ C P. 



MODEL CHECKING CTL IS ALMOST ALWAYS INHERENTLY SEQUENTIAL * 



3 



Hence, in contrast to inherently sequential P-liard tasks, problems in LOGCFL have very 
efficient parallel algorithms. 

For the extensions CTL"*" and ECTL"*", the situation is more complex. In general, model 
checking CTL+ and ECTL+ is A^-complete [LMSOlj . We show that for T C {A, E,X}, 
both model checking problems restricted to operators from T remain tractable, while for 
T ^ {A, E,X}, they become Ag-complete. Yet, for negation restricted fragments with only 
existential or only universal path quantifiers, we observe a complexity decrease to NP- resp. 
coNP-completeness. 

This paper is organized as follows: Section [2] introduces CTL, its model checking prob- 
lems, and the non-basics of complexity theory we use. Section [3] contains our main results, 
separated into upper and lower bounds. We also provide a refined analysis of the reductions 
between different model checking problems with restricted use of negation. The results are 
then generalized to extensions of CTL in Section HI Finally, Section [5] concludes with a 
graphical overview of the results. 

2. Preliminaries 

2.1. Temporal Logic. We inductively define CTL*-formulae as follows. Let $ be a finite 
set of atomic propositions. The symbols used are the atomic propositions in the constant 
symbols T, _L, the Boolean connectives A, and V, and the temporal operator symbols A, 
E, X, F, G, U, and R. 

A and E are called a path quantifiers, temporal operators aside from A and E are pure 
temporal operators. The atomic propositions and the constants T and _L are atomic formulae. 
There are two kinds of formulae, state formulae and path formulae. Each atomic formula 
is a state formula, and each state formula is a path formula. If ip, ip are state formulae 
and XjT'" are path formulae, then -k^, {if A if)), {ip V ip), Ax, Ex are state formulae, and -ix, 
(xAtt), (xVvr), Xx, Fx, Gx, [xUvr], and [xRtt] are path formulae. The set of CTL*-formulae 
(or formulae) consists of all state formulae. 

A Kripke structure is a triple K = (W,R,r]), where W is a finite set of states, R C 
W xW a total relation {i.e., for each w G W, there exists a w' such that {w, w') E R), and 
rj: W ^ ^{^) is a labelling function. A path x is an infinite sequence x = {xi,X2, . . .) € 
such that {xi,Xi^i) € R, for alH > 1. For a path x = (xi, X2, . . .) we denote by x* the path 
(Xj , Xj-|_l ,...). 

Let K = {W, R, rj) be a Kripke structure, w he a. state, and x = (xi, X2, . . . ) G W''^ 
be a path. Further, let (p, ip be state formulae and X) be path formulae. The truth of a 
CTL*-formula w.r.t. K is inductively defined as follows: 

K,w \= T always, 

K,w \= -L never, 

K,w \= p iff p G ^> and p G 7]{w) , 

K,w \= -193 iS K,w ^ (p, 

K,w \= {ip A Ip) iS K,w \= ip and K,w \= ip, 

K,w \= {ip V Ip) iS K , w \= ip 01 K,w \= Ip, 

K,w \= Ax iff X 1= X for all paths x = (xi, X2, • • •) with xi = w, 

K,x \= (p iff xi 1= ip, 

K,x \=^X iS K,x ^ X, 

K,x ^ (x A vr) iff iC, X \= x and K,x \= tt, 
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Figure 1: The expressive power of CTL(r). 

N (x V vr) iff x \= X oi K, X \= IT, 
K,x hXx iSK,X2hx 

K,x \= [xUtt] iff there is a A; E N such that K,x^ \= i: and K,x^ \= X foi' ^ < i < k. 
The semantics of the remaining temporal operators is defined via the equivalences: Ex = 
-lA-ix, fx = [TUx], Gx = ~'F-'X) and [xRtt] = -i[-ixU-i7r]. A state formula if is satisfied by 
a Kripke structure K if there exists w such that K,w \= if- We will also denoted this 
hj K ^ Lp. 

We use CTL*(r) to denote the set of CTL*-formulae using the Boolean connectives 
{a, V, -i}, and the temporal operators in T only. If T does not contain any quantifiers, then 
including any pure temporal operators in T is meaningless. 

A CTIj- formula is a CTL*-formula in which each path quantifier is followed by exactly 
one pure temporal operator and each pure temporal operator is preceded by exactly one path 
quantifier. The set of CTL-formulae forms a strict subset of the set of all CTL*-formulae. 
For example, AGEFp is a CTL-formula, but A(GFp A Fg) is not. CTL is less expressive than 
CTL* [EH851IEH86] . 

Pairs of path quantifiers and pure temporal operators are called CTlj-operators. The 
operators AX, AF, AG, AU, and AR are universal CTL-operators, and EX, EF, EG, EU, and 
ER are existential CTL-operators. Let ALL denote the set of all universal and existential 
CTL-operators. Note that A[V'Ux] = AFx A ^E[^xU(^V' A ^x)], and thus E[V'Rx] = EGx V 
E[xU('(/' A x)]- Hence {AX, AF, AR} is a minimal set of operators for CTL (in presence of all 
Boolean connectives), whereas {AX, AG, AU} is not |Lar95] . 

By CTL(T) we denote the set of CTL-formulae using the connectives {A,V,-i} and 
the CTL-operators in T only. Figure [U shows the structure of sets of CTL-operators with 
respect to their expressive power. 
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Moreover, we define the following fragments of CTL(T). 

— CTLpos(T) (positive) 

CTL-operators may not occur in the scope of a negation. 

— CTLa.n.(^) (atomic negation) 

Negation signs appear only directly in front of atomic propositions. 

— CTLmon(7') (monotone) 
No negation signs allowed. 

This restricted use of negation was introduced and studied in the context of linear temporal 
logic, LTL, by Sistla and Clarke |SC85| and Markey [Mar04| . Their original notation was 
L(r) for CTLa.n.(T) and L+(T) for CTLpos(r). 

2.2. Model Checking. Now we define the model checking problems for the above men- 
tioned fragments of CTL. Let C be CTL, CTLmon, CTLa.n., or CTLpos- 

Problem: C-MC{T) 

Input: A Kripke structure K = {W, R,r]), a state w G W, and an i2(T)-formula if. 
Question: Does K,w \= ip hold? 

2.3. Complexity Theory. We assume familiarity with standard notions of complexity 
theory as introduced in, e.g., |Pap94| . Next we will introduce the notions from circuit 
complexity that we use for our results. All reductions in this paper are <cd-i'eductions 
defined as follows: A language A is constant- depth reducible to B, A <cd B, if there is a 
logtime- uniform AC'^-circuit family with oracle gates for B that decides membership in A. 
That is, there is a circuit family C = (Ci, C2, C3, . . . ) such that 

— for every n, C„ computes the characteristic function of A for inputs of length n, 

— there is a polynomial p and a constant d such that for all input lengths n, the size of C„, 
is bounded by p{n) and the depth of Cn is bounded by d, 

— each circuit Cn consists of unbounded fan- in AND and OR gates, negation gates, and 
gates that compute the characteristic function of B (the oracle gates), 

— there is a linear-time Turing machine M that can check the structure of the circuit family, 

i.e., given a tuple {n, g, t, h) where n, g, h are binary numbers and t G {AND, OR, NOT, ORACLE}, 

M accepts if Cn contains a gate g of type t with predecessor h. 
Circuit families C with this last property are called logtime-uniform (the name stems from 
the fact that the time needed by M is linear in the length of its input tuple, hence logarithmic 
in n) . For background information we refer to |RV971 IVol99| . 

We easily obtain the following relations between model checking for fragments of CTL 
with restricted negation: 

Lemma 2.1. For every set T of CTh- operators, we have 

CTL^on-MC(r) <ed CTLa.n.-MC(r) <ed CTLpos -MC(r). 

Further, for model checking, atomic negation can be eluded, that is, CTLa.n. -MC(T) <cd 
CTL^on-MC(r). 
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Proof. The first part is straightforward, using the identity function as reduction function. 
For the second part, let K = {W,R,rj) be a Kripke structure and let ip he a CTLa.n.(^)" 
formula over the propositions ^ = {pi, . . . ,pn}- Every negation in ip appears inside a 
negative literal. We obtain ip' by replacing every negative literal with a fresh atomic 
proposition qi. Further define K' = {W,R,r]'), where rj'{w) = r]{w) U {qi \ pi ^ 
Obviously, KjW \= (p iE K', w \= ip' for all w G W. The mapping {K, w, ip) i— )■ [K\ w, ip') 
can be performed by an AC'^-circuit. □ 

In Section !?^ we complete the picture by proving CTLpos-MC(T) <cd CTLjnon-MC(T). 

The class P consists of all languages that have a polynomial-time decision algorithm. A 
problem is P-complete if it is in P and every other problem in P reduces to it. P-complete 
problems are sometimes referred to as inherently sequential, because P-complete problems 
most likely (formally: if P 7^ NC) do not possess NC-algorithms, that is, algorithms run- 
ning in poly logarithmic time on a parallel computer with a polynomial number of proces- 
sors. Formally, NC contains all problems solvable by polynomial-size polylogarithmic-depth 
logtime- uniform families of circuits with bounded fan-in AND, OR, NOT gates. 

There is an NC-algorithm for parsing context-free languages, that is, CFL C NC. There- 
fore, complexity theorists have studied the class LOGCFL of all problems reducible to 
context-free languages (the name "LOGCFL" refers to the original definition of the class in 
terms of logspace-reductions, however it is known that the class does not change if instead, 
as everywhere else in this paper, <cd-i'eductions are used). Hence, LOGCFL C NC (even 
LOGCFL C NC^, the second level of the NC-hierarchy, where the depth of the occurring 
circuits is restricted to 0(log^?T,)). The class LOGCFL has a number of different maybe 
even somewhat surprising characterizations, e.g., languages in LOGCFL are those that can 
be decided by nondeterministic Turing machines operating in polynomial time that have a 
worktape of logarithmic size and additionally a stack whose size is not bounded. 

More important for this paper is the characterization of LOGCFL as those problems 
computable by SAC^ circuit families, that is, families of circuits that 

— have polynomial size and logarithmic depth, 

— consist of unbounded fan-in OR gates and bounded fan-in AND gates and negation gates, 
but the latter are only allowed at the input-level, 

— are logtime- uniform (as defined above). 

Since the class LOGCFL is known to be closed under complementation, the second 
condition can equivalently be replaced to allow unbounded fan-in AND gates and restrict 
the fan-in of OR gates to be bounded. 

To summarize: 

NC^ C L C NL C LOGCFL = SAC^ C NC^; 

and problems in these classes possess very efficient parallel algorithms: they can be solved 
in time 0(log^ n) on a parallel machine with a tractable number of processors. For more 
background on these and related complexity classes, we refer the reader to |Vol99] . 

3. Model Checking CTL and CTLpos 

This section contains our main results on the complexity of model checking for CTL and 
CTLpos- We defer the analysis of the fragments CTLa.n. and CTLmon to Section [33| where 
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we will see that their model-checking problems are computationally equivalent to model 
checking for CTLpos- 

While model checking for CTL in general is known to be polynomial time solvable and 
in fact P-complete |CES861 ISch03j . we improve the lower bound by showing that only one 
temporal operator is sufficient to obtain hardness for P. 

Theorem 3.1. For each nonempty setT of CT\j- operators, CTL-MC(T) is -complete. If 
T = %, then CTL-MC(r) is -complete. 

If we consider only formulae from CTLpos, where no CTL-operators are allowed inside 
the scope of a negation, the situation changes and the complexity of model checking exhibits 
a dichotomous behavior. As long as EG or AF are expressible the model checking problem 
remains P-complete. Otherwise, its complexity drops to LOGCFL. 

Theorem 3.2. Let T be any set of CTL-operators. Then CTLpos-MC(r) is 

- -complete ifT = %, 

- LOGCYL- complete if ^ C T <Z {EX, EF} or C T C {AX, AG}, and 

- V-complete otherwise. 

We split the proofs of Theorems 13.11 and 13.21 into the upper and lower bounds in the 
following two subsections. 

3.1. Upper Bounds. In general, model checking for CTL is known to be solvable in P 
|CES86| . While this upper bound also applies to CTLpos-MC(T) (for every T), we improve 
it for positive CTL-formulae using only EX and EF, or only AX and AG. 

Proposition 3.3. Let T he a set of CTL-operators such that T C {EX, EF} or T CI 
{AX, AG}. Then CTLpos-MC(r) is in LOGCFL. 

Proof. First consider the case T C {EX, EF}. We claim that Algorithm 1 recursively decides 
whether the Kripke structure K = (VF,i?, ry) satisfies the CTLpos (7")-formula ip in state 
Wo G W. There, 5 is a stack that stores pairs {^,w) G CTLpos(r) x W and R* denotes the 
transitive closure of R. 

Algorithm 1 always terminates because each subformula of f is pushed to the stack 
S at most once. For correctness, an induction on the structure of formulae shows that 
Algorithm 1 returns false if and only if for the most recently popped pair w) from S, 
we have K,w ^ ip. Thence, in particular, Algorithm 1 returns true iS K,w \= (p. 

Algorithm 1 can be implemented on a nondeterministic polynomial-time Turing machine 
that besides its (unbounded) stack uses only logarithmic memory for the local variables. 
Thus CTLpos-MC(r) is in LOGCFL. 

The case T C {AX, AG} is analogous and follows from closure of LOGCFL under com- 
plementation. □ 

Finally, for the trivial case where no CTL-operators are present, model checking CTL(0)- 
formulae is equivalent to the problem of evaluating a propositional formula. This problem 
is known to be solvable in NC^ [Bus87]. 
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Algorithm 1 Determine whether K, wq \= (p. 

Require: a Kripke structure K = {W,R,r]), wq £ W, if € CTLpos(r) 

1: push(5, Wo)) 

2: while S is not empty do 

3: {ip,w) ^ pop{S) 

4: if is a prepositional formula then 

5: if if evaluates to false in w under r] then 

6: return false 

7: end if 

8: else if cp = a A P then 

9: pushes , {/3 , w)) 
10: push(S', (a, If)) 
11: else if (/? = a V /3 then 
12: nondet. push(S', (a, if)) or push(5, (/3, w)) 
13: else it ip = EXa then 
14: nondet. choose w' € {w' \ {w, w') € R] 
15: push(S', (a, If')) 
16: else if = EFa then 
17: nondet. choose w' G {w' \ {w,w') € R*} 
18: push(S', (a, 1/;')) 
19: end if 
20: end while 
21: return true 



3.2. Lower Bounds. The P-hardness of model checking for CTL was first stated in [Sch03] . 
We improve this lower bound and concentrate on the smallest fragments of monotone CTL — 
w.r.t. CTL-operators — with P-hard model checking. 

Proposition 3.4. Let T denote a set of CTIj- operators . Then CTLmon" 

MC(r) is P-hard 

ifT contains an existential and a universal CTL-operator. 

Proof. First, assume that T = {AX, EX}. We give a generic reduction from the word problem 
for alternating Turing machines working in logarithmic space, which follows the same line 
as the classical proof idea (see [SchOSl Theorem 3.8]), and which we will modify in order 
to be useful for other combinations of CTL-operators. Let M be an alternating logspace 
Turing machine, and let x be an input to M. We may assume w.l.o.g. that each transition 
of M leads from an existential to a universal configuration and vice versa. Further we may 
assume that each computation of M ends after the same number p{n) of steps, where p is a 
polynomial and n is the length of M's input. Furthermore we may assume that there exists 
a polynomial q such that g(n) is the number of configurations of M on any input of length 
n. 

Let ci,...,Cq(„) be an enumeration of all possible configurations of M on input x, 
starting with the initial configuration ci. We construct a Kripke structure K := {W,R,ri) 
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{t}, if Ci is an accepting configuration and j = p{n) 
0, otherwise 



by defining the set W := {c^ | 1 < i < q{n),0 < j < pin)^ and the relation i? C 1/F x W as 
{('^''^^^) I ^ reaches configuration from Cj in one step,0 < j < p{n)^ 

U { (c^ , ) I has no successor, 1 <i < q{n) , < j < p{n) } 

U|(cPH,cf("))|l<i<g(n)}. 
The labeUing function r/ is defined for all S as 

where t is the only atom used by this labelling. It then holds that 

M accepts x K, ci \= tpi(^'tp2{- ■ ■ V'p(n) (*)) ' ' ' ) , 

where ipi{x) := AX(x) if M's configurations before the ith step are universal, and ipi{x) := 
EX{x) otherwise. Notice that the constructed CTL-formula does not contain any Boolean 
connective. Since p{n) and q{n) are polynomials, the size of K and if is polynomial in the 
size of (M, x). Moreover, K and tp can be constructed from M and x using AC*^-circuits. 
Thus, A <cd CTLmon-MC({AX, EX}) for all A G ALOGSPACE = P. 

For T = {AF, EG} we modify the above reduction by defining the labelling function rj 
and the formula tpi as follows: 

{dj,t}, if Ci is an accepting configuration and j = p(n) 
{dj\, otherwise 

(3.1) 

rAF(dj Ax), if M's configurations before step i are universal, 
\EG(L>j V x), otherwise, 
where dj are atomic propositions encoding the 'time stamps' of the respective configurations 

and A = Vi^jg{o,...,p(n)}^i- 

For the combinations of T being one of {AF, EF}, {AF, EX}, {AG, EG}, {AG, EX}, 
{AX, EF}, and {AX, EG}, the P-hardness of CTLmon-MC(T) is obtained using analogous 
modifications to ry and the ipiS. 

For the remaining combinations involving the until or the release operator, observe that 
w.r.t. the Kripke structure K as defined in ()3.ip . AF(dj A x) and EG(-Dj V x) are equivalent 
to A[dj_iUx] and E[(ij_iUx], and that R and U are duals. □ 

In the presence of arbitrary negation, universal operators are definable by existential 
operators and vice versa. Hence, from Proposition 13.41 we obtain the following corollary. 

Corollary 3.5. The model checking problem CTL-MC(T) is F-hard for each nonempty set 
T of CTL-operators. 

Returning to monotone CTL, in most cases even one operator suffices to make model 
checking P-hard: 

Proposition 3.6. Let T denote a set of CTIj- operators . Then CTLmon" 

MC(T) is F-hard 

if T contains at least one of the operators EG, EU, ER, AF, AU, or AR. 

Proof. We modify the proof of Proposition 13.41 to work with EG only. The remaining frag- 
ments follow from the closure of P under complementation and Fx = ^Q^x = [TUx], 
[xUvr] = -hxR-vr]. 
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Figure 2: The Kripke structure K'; dashed (resp. soUd) arrows correspond to transitions 
leaving existential (resp. universal) configurations. 



Let the machine M, the word x, the polynomials p, g, and K be as above. Further 
assume w.l.o.g. that M branches only binary in each step. Denote by (resp. Wy) the 
set of states corresponding to existential (resp. universal) configurations. The purpose 
of the introduced layers below is to ensure the uniqueness of the successors of universal 
configurations which is essential in the construction of ipi later. We construct a Kripke 
structure K' := {W\R,vi) consisting of q{n) + 1 layers and a 'trap' as follows: let W' := 
X {1, . . . , q{n) + 1} U {z}. The transition relation i? C VF' x W' is defined as 

G W^,M reaches from q in one step, 
1 < £ < q{n) + 1,0 < J <p{n) 



€ M reaches Ck and Ck' from Cj in 
one step, Cfc < Cfe', < j < p{n) 



U ((4+\i),(4+\g(n) + l)), 
l((4+\g(n) + l),z) 

U {((cf^"\^), (cf^"\^)) \l<i< qin), l<i< gin) + l} 
U {{z,z)}. 

That is, the arcs leaving an existential configurations q lead to the successor configurations 
of Ci inside each layer; while any universal configuration Cj has exactly one outgoing arc 
pointing to its (lexicographically) first successor configuration in the layer i, from where 
another arc leads to the second successor of q in layer q{n) + 1, which in turn has an 
outgoing arc to the state z (see Figure[2]). The labelling function t] is defined as r]{z) := {z}, 
r/((4,£)) := {£,dj,t} if q is an accepting configuration, and otherwise r/((4,£)) := {i,dj} 
for il<e< q{n) + 1). Define 

EG(di_i V {di A x) V 2;),if M's configurations before step i are universal, 
EG(Z)i V x),if M's configurations before step i are existential. 
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and Di = \J ^^ji^^Q p{n)}^j- '^^^ correctness of the equivalence K,w \= Af{di A x) iff 
K', {w,£) \= EG(di„i V {di A x) V z)), for all u; G Wy, 1 < ^ < q{n) + 1 and 1 < i < p{n) 
can be verified through the following observations. if di and x hold in all successors 
of w in K, then there exists a path from {wji) to both of the series-connected successors 
reaching the trap and looping there. This is the only possibility for the path as neither 
nor di hold below that level. As in each successor configuration the subformula di Ax must 
be satisfied the composition of the ipiS ensures that in each such state there must start an 
EG-path for each universal successor. <^=: the only path which satisfies at least one of the 
three disjuncts ranges through both series-connected successor configurations and ends in 
the trap. For each of the two successor states di and x hold. Thus AF((ij A x) is true in the 
state w in the structure K. 

From this, it easily follows that for 

M accepts X ^ i^', (c?, 1) ^ Vi (V'2( • • • V'phW) • • • ) • 

As we essentially only duplicated the set of states in K and R can be constructed from all 
triples of states in W', K' remains AC'^ constructible. Concluding A <cd CTLinon-MC({EG}) 
for ah AeF. □ 

By Lemma 12.11 CTLjnon-MC(r) <cd CTLpos-MC(T) and hence the above results 
directly translate to model checking for CTLpos: for any set T of temporal operators, 
CTLpos-MC(r) is P-hard if T ^ {EX, EF} or if T ^ {AX, AG}. These results cannot 
be improved w.r.t. T, as for T C {EX, EF} and T C {AX, AG} we obtain a LOGCFL upper 
bound for model checking from Proposition 13.31 In the following proposition we prove the 
matching LOGCFL lower bound. 

Proposition 3.7. For every nonempty set T of CTL- operators, the model checking problem 
CTLmon-MC(r) is LOGCFL-hard. 

Proof. As explained in Section [2.3| LOGCFL can be characterized as the set of languages 
recognizable by logtime-uniform SAC^ circuits, i.e., circuits of logarithmic depth and poly- 
nomial size consisting of V-gates with unbounded fan-in and A-gates with fan-in 2. For 
every single CTL-operator O, we will show that CTLmon-MC(r) is LOGCFL-hard for ah 
T D {0} by giving a generic <cd-reduction / from the word problem for SAC^ circuits to 
CTL„,on-MC(r). 

First, consider EX € T. Let C be a logtime-uniform SAC^ circuit of depth £ with 
n inputs and let x = xi . . . x„ G {0,1}". Assume w.l.o.g. that C is connected, layered 
into alternating layers of A-gates and V-gates, and that the output gate of C is an V- 
gate. We number the layers bottom-up, that is, the layer containing (only) the output gate 
has level 0, whereas the input-gates and negations of the input-gates are situated in layer 
i. Denote the graph of C by G = {V,E), where V := Vi^ 1+) Fa Vv is partitioned into 
the sets corresponding to the (possibly negated) input-gates, the A-gates, and the V-gates, 
respectively. G is acyclic and directed with paths leading from the input to the output 
gates. From {V, E) we construct a Kripke structure that allows to distinguish the two 
predecessors of an A-gate from each other. This will be required to model proof trees using 
CTLmon({EX})-formulae. 
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For i € {1, 2}, let T/^ := {v' \ v e Mn}, := {v' \ v e Vv} and define V^y := V^^ U V^. 
Further define 

E' := £ V/s, X V:^l^\y \ {u,v) ^ E and u is the ith predecessor of 

u{{v,v)\vev^uv;i}u (j {iv\u)eVi^^xV;,\{u,v)eE}, 

ie{l,2} 

where the ordering of the predecessors is imphcitly given in the encoding of C. We now 
define a Kripke structure K := {V',E',r]) with states V := T^J^ ^ U l^j^ v ^ transition 
relation E', and labelling function rj : V' ^ 2, t}), 

{i, t}, if {v = Vin^ G and = 1) or {v = vin, e a'^'i = 0)' 
r]{v) := < {i}, if {v = Vin^ € V^"^ and = 0) or {v = Uin^ S and Xj = 1) or f G F^, 
0, otherwise, 

where i = 1,2, j = l,...,n and vim, ■ ■ ■ ,Vin„i ^im > • • • , ^^in^ enumerate the input gates 
and their negations. The formula ip that is to be evaluated on K will consist of atomic 
propositions 1, 2 and t, Boolean connectives A and V, and the CTL-operator EX. To 
construct f we recursively define formulae {ifi)o<i<i by 

't, iii = i, 

ipi := < EX(/3j_|_i, if i is even (V-layers), 

Aj=i 2 EX(i A ^i+i), if i is odd (A-layers). 

We define the reduction function / as the mapping (C, x) i-^ {K,vo,ip), where vq is the 
node corresponding to the output gate of C and (p := (pQ. We stress that the size of (p is 
polynomial, for the depth of C is logarithmic only. Clearly, each minimal accepting subtree 
(cf. |Ruz80j or |Vol99l Definition 4.15]) of C on input x translates into a sub-structure K' 
of K such that K',vq \= ip, where 

(1) K' includes vq, 

(2) K' includes one successor for every node corresponding to an V-gate, and 

(3) K' includes the two successors of every node corresponding to an A-gate. 

As C(x) = 1 iff there exists a minimal accepting subtree of C on x, the LOGCFL-hardness 
of CTLmon-MC(r) for EX G T fohows. 

Second, consider EF G T. We have to extend our Kripke structure to contain informa- 
tion about the depth of the corresponding gate. We may assume w.l.o.g. that C is encoded 
such that each gate contains an additional counter holding the distance to the output gate 
(which is equal to the number of the layer it is contained in, cf. |Vol99j ) . We extend r/ 
to encode this distance i, 1 < i < £, into the "depth-propositions" di as in the proof of 
Proposition 13.41 Denote this modified Kripke structure by K'. Further, we define (Vi)o<i<^ 
as 

EF(di+i A (Pi_^_i), if i is even, 

. Aj=i,2 EF(di+i A i A 'p'i_^.l), if i is odd. 
Redefining the reduction / as (C, x) i-^ {K' ,vo,ipQ) hence yields the LOGCFL-hardness of 
CTLmon-MC(r) for EF G T. 

Third, consider AX G T. Consider the reduction in case 1 for CTLmon({EX})-formulae, 
and let /(C, x) = {K, vq, ip) be the value computed by the reduction function. It holds that 
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C(x) = 1 iff K,vo \= (f, and equivalently C(x) = iff K,vo \= -193. Let ip' be the formula 
obtained from -k/? by multiplying the negation into the formula. Then ip' is a CTLa.n.({AX})- 
formula. Since LOGCFL is closed under complement, it follows that CTLa.n.-MC({AX}) is 
LOGCFL-hard. Using Lemma EH we obtain that CTLmon-MC({AX}) is LOGCFL-hard, 
too. An analogous argument works for the case AG G T. The remaining fragments are even 
P-complete by Proposition I3.6i □ 

Using Lemma 12.11 we obtain LOGCFL-hardness of CTLpos-MC(T) for all nonempty 
sets T of CTL-operators. 

In the absence of CTL-operators, the lower bound for the model checking problem again 
follows from the lower bound for evaluating monotone propositional formulae. This problem 
is known to be hard for NC^ |Bus87l ISchTO] . 

3.3. The Power of Negation. We will now show that model checking for the fragments 
CTLa.n. and CTLpos is computationally equivalent to model checking for CTLjnoin for any 
set T of CTL-operators. Since we consider <cd-i'eductions, this is not immediate. 

From Lemma I2. II it follows that the hardness results for CTLjnon-MC(T) also hold for 
CTLa.n.-MC(r) and CTLpos-MC(r). Moreover, the algorithms for CTLpos-MC(r) also 
work for CTLmon-MC(T) and CTLa.n.-MC(T) without using more computation resources. 
Both observations together yield the same completeness results for all CTL-fragments with 
restricted negations. 

Theorem 3.8. Let T be any set of CTL-operators. Then CTLmon-MC(r), CTLa.n. -MC(r), 
and CTLpos -MC(T) are 

— NC^ -complete if T is empty, 

— LOGCFL-complete if^CT Q {EX, EF} or C T C {AX, AG}, 

— P-complete otherwise. 

Moreover, the problems CTLmon-MC(T), CTLa.n. -MC(T), and CTLpos -MC(T) are equiv- 
alent w.r.t. <cd-reductions. 

This equivalence extends Lemma l2. II We remark that this equivalence is not straight- 
forward. Simply applying de Morgan's laws to transform one problem into another requires 
counting the number of negations on top of A- and V-connectives. This counting cannot 
be achieved by an AC^-circuit and does not lead to the aspired reduction. Here we obtain 
equivalence of the problems as a consequence of our generic hardness proofs in Section 13.21 

4. Model Checking Extensions of CTL 

It has been argued that CTL lacks the ability to express fairness properties. To address 
this shortcoming, Emerson and Halpern introduced ECTL in [EH86j . ECTL extends CTL 

with the F-operator, which states that for every moment in the future, the enclosed formula 
will eventually be satisfied again: for a Kripke structure K, a path x = (xi,X2, . . •), and a 
path formula x 

oc 

K,x^fx iff K, x' ^ Fx for ah i G N. 

00 

The dual operator G is defined analogously. As for CTL, model checking for ECTL is known 
to be tractable. Moreover, our next result shows that even for all fragments, model checking 
for ECTL is not harder than for CTL. 
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Algorithm 2 Case distinction for EF 

oo 

1: else if (f = EFa then 

2: nondet. choose k < \W\ and a path (wi)i<i<fc such that (wjWi) € R*, {wk,wi) G R 
3: nondet. choose some 1 < i < A; and push(S', {a,Wi)) 
4: end if 



Theorem 4.1. Let T be a set of temporal operators. Then ECTL-MC(r) =cd CTL-MC(r') 

oo 

and ECTLpos-MC(T) =cd CTLpos-MC(T'), where T' is obtained from T by substituting F 

oo 

with F and G with G. 

oo oo 

Proof. For the upper bounds, notice that ECTL-MC(ALLU {EF, AF}) G P. It thus remains 

oo oo 

to show that ECTLpos-MC(r) e LOGCFL for T C {EX, EF, EF} and T C {AX, AG, AG} 

oo oo 

First, consider the case that T C {EX, EF, EF}. We modify Algorithm 1 to handle EF by 
extending the case distinction in lines HHT91 with the code fragment given in Algorithm 1. 

oo 

The algorithm for T C {AX, AG, AG} is analogous and membership in LOGCFL follows 
from its closure under complementation. 

For the lower bounds, we extend the proofs of Propositions 13.41 13.61 and 13.71 to handle 

oo oo oo oo 

sets T involving also the operators AF, AG, EF, and EG. Therefore, we only need modify 
the accessibility relation R of respective Kripke structure K to be reflexive. The hardness 

oo oo 

results follow by replacing F with F and G with G in the respective reductions. 

First consider the case that T contains an existential and a universal operator, say 

oo oo 

T = {AF, EG}. Let M, x, and p be defined as in the proof of Proposition [331 We map (M, x) 
to {K, V'l)) where K = (W, R, rj) is the reflexive closure of the Kripke structure K defined 

for the P-hardness of CTL-MC({AF, EG}), c? G W, and ^ := ^i{4>2{- ■ ■ %{n)ii)) ■ ■ 
where 

{oo 
/Kf{di Ax), if M's configurations in step i are universal, 
oo 
EG{Di V x), otherwise. 

In K it now holds that di G 7]{w) and (wjw') G R together imply that either w = w' or 

~ oc 

di ^ r}{w). Hence, for ailw and 1 < i < p(|x|), K,w\= /Kf{diAx) iS K,w \= /Kf{diAx), 

~ oo 

and K,w ^ EG(Vi^je{o,...,p(„)} c^i V x) iS K,w ^ EG(Vi^jg{o,...,p(„)} V x). From this, 
correctness of the reduction follows. The P-hardness of CTL-MC(r) for the remaining 
fragments follows analogously. 

As for T C {EX, EF, EF}, we will show that ECTLmon-MC(r) is LOGCFL-hard under 

oo 

<cd-reductions for T = {EF}. Let C, x, and £ be as in the proof of Proposition 13.71 We 
map the pair (C, x) to the triple {K',vo,ifo), where K' = {V',E',rj) is the reflexive closure 
of the Kripke structure K' defined for the LOGCFL-hardness of CTL-MC({EF}), vq G V, 
and ipo is recursively defined via {^p'i)o<i<i as 

't, ifi = £, 

oo 

ipi := < EF((ii+i A ipi+i), if i is even, 

oo 

. Ai=i,2 EF(di+i A i A ^Pi+i), if i is odd. 
Again, we have that in K', di G rj{v) and {v,v') G E' together imply that either v = v' or 

~ oo 

di ^ r]{v'). It hence follows K',v \= Ef{di A (pi) iff K',v \= Ef{di A ipi), for all v £ V and 



tpi{x) 
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l<i <e. We conclude that ECTLmon-MC({EF}) is LOGCFL-hard. The case T = {AG} 
fohows analogously. □ 

We will now consider CTL"*", the extension of CTL by Boolean combinations of path 
formulae which is defined as follows. A CTL~^ -formula is a CTL*-formula where each pure 
temporal operator in a state formula occurs in the scope of a path quantifier. The set of 
all CTL-formulae is a strict subset of the set of all CTL'^-formulae, which again forms a 
strict subset of the set of all CTL*-formulae. For example, AGEFp and A(Gp A fq) are 
CTL^-formulae, but AGFp is not. However, CTL is as expressive as CTL"*" [EH85) . 

By CTL+(r) we denote the set of CTL+-formulae using the connectives {A,V,-i} 
and temporal operators in T only. Analogous to the fragments CTLpos(T'), CTLa.n. (r), 
and CTLmon(7'), we define CTLpog(T), CTL^^ (T), and CTL^on(T) as those fragments 
of CTL^(r) that disallow temporal operators in the scope of negations, contain negation 
signs only directly in front of atomic propositions, and do not contain negation signs at all, 
respectively. 

In contrast to CTL, model checking for CTL"*" is not tractable, but A2-complete 
[LMSOl] . Below we classify the complexity of model checking for both the full and the 
positive fragments of CTL^. 

Theorem 4.2. Let T be a set of temporal operators containing at least one path quantifier. 
Then CTL+-MC(r) is 

- -complete if T <Z {A, E}, 

- V -complete i/ {X} C T C {A, E,X}, and 

- /S^-complete otherwise. 

Proof. If T C {A, E} then deciding CTL^-MC(T) is equivalent to the problem of evaluating 
a propositional formula, which is known to be NC^-complete |Bus87l [SchlO] . 

If {X} C T C {A, E,X}, then CTL+-MC(r) can be solved using a labelling algorithm: 
Let K = {W,R,ri) be a Kripke structure, and 99 be a CTL"'"({A, E, X})-formula. Assume 
w.l.o.g. that 99 starts with an E and that it does not contain any A's. Compute K,w \= 'ip for 
all w G PV^ and all subformulae EV' of ip such that ip is free of path quantifiers, and replace 

in 93 with a new proposition p^ while extending the labelling function 77 such that 
p^ € r]{w) <J=^ K,w \= ^J. Repeat this step until cp is free of path quantifiers and denote 
the resulting (propositional) formula by f'. To decide whether K,w \= (p for some w E W, it 
now suffices to check whether ip' is satisfied by the assignment implied by r]{w). As for all of 
the above subformulae Eip oiip, ip G CTL'''({X}), it follows that K,w \= Tp can be determined 
in polynomial time in the size of K and ip. Considering that the number of labelling steps 
is at most 0{\(p\ ■ \W\) it follows that CTL+-MC(r) is in P. The P-hardness follows from 
CTL-MC({EX}) <cd CTL+-MC({E,X}) resp. CTL-MC({AX}) <cd CTL+-MC({A, X}). 

For all other possible sets T, we have rn{E, A} 7^ and rn{F, G, U} 7^ 0. Consequently, 
each of the temporal operators A, E, F, and G can be expressed in CTL^(r). The claim 
now follows from |LMS01| . □ 

For the positive fragments of CTL^ we obtain a more complex picture: 

Theorem 4.3. Let T be a set of temporal operators containing at least one path quantifier. 
Then CTL+ 3-MC(r) is 

- NC^ -complete ifTC {A, E}, 

- LOGCFL-complete if T = {A, X} or T = {E, X}, 
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— F -complete ifT = {A, E,X}, 

— NP-complete i/ E € T, A T and T contains a pure temporal operator aside from X, 

— coHV -complete if A G T, E T and T contains a pure temporal operator aside from X, 
and 

— I^^-complete otherwise. 

Proof. The first and third claim follow from Theorem 14.21 and the monotone formula value 
problem being NC^-complete [SchlOj . 

For the second claim, consider the case T = {E, X}. It is straightforward to adopt 
Algorithm 1 to guess a successor w' of the current state once for every path quantifier 
E that has been read and decompose the formula w.r.t. w' . For T = {A, X} analogous 
arguments hold. 

The fourth claim can be solved with a labelling algorithm analogously to the algorithm 
for CTL'^-MC({A, E, X}). In this case, however, whole paths need to be guessed in the 
Kripke structures. Hence, we obtain a polynomial time algorithm deciding CTLpQg-MC(T) 
using an oracle B G NP (resp. B € coNP) . This algorithm is furthermore a monotone <!^- 
reduction from CTLpQg-MC(r) to B, in the sense that for any deterministic oracle Turing 
machine M that executes the algorithm, 

ACB ^ L{M,A) C L{M,B), 

where L{M,X) is the language recognized by M with oracle X. Both NP and coNP are 
closed under monotone <!^-reductions |Sel82j . We thus conclude that CTLpQg-MC(r) G NP 
(resp. CTL+ 3-MC(r) G coNP). 

As for the NP-hardness of CTLpQg-MC(T), note that the reduction from 3SAT to 
LTL-MC({F}), the model checking problem for linear temporal logic using the F-operator 
only, given by Sistla and Clarke in |SC85| is a reduction to CTL+og-MC({E, F}) indeed. 
The NP-hardness of CTLpQg-MC({E, G}) is obtained by a similar reduction: let ip he a 
propositional formula in 3CNF, i.e., (p = AiLi ^« with Cj = in V £i2 V iis and £ij = Xk 
or iij = -iXfc for all 1 < i < n, all 1 < J < 3, and some 1 < k < m. Recall that for 
a set A, y A denotes the disjunction \/aeA'^- ^ ^° triple {K,yQ,ip), where 

K = {W, R, 7]) is the Kripke structure given in ([H]) and Tp := E Vj=i G V(^ \ }) 
with <I> := {uq, yi,Xi,Xi | 1 < « < m} and denoting the complementary literal of £ij. 

W := {yo} U {xi,Xi,yi | 1 < i < m}, 

R ■= {{yi-i,Xi), {xi,y.i), {xi,yi) | 1 < i < m} U {{ym,ym)}, (4.1) 

r]{w) := {w} for all w GW. 

Note that the above reductions prove hardness for CTL^oq-MC(T) already. The coNP- 
hardness of CTL+,s-MC({A, G}) and CTL+og-MC({A, F}) follows from the same reductions. 

As for the the last claim, note that the Ag-hardness of CTL'''-MC({A, E, F, G}) carries 
over to CTL^Q^-MC({A, E, F, G}), because any CTL"''({A, E, F, G})-formula can be trans- 
formed into a CTLj^jj ({A, E, F, G})-formula, in which all negated atoms may be replaced 
by fresh propositions p that are mapped into all states of the Kripke structure whose label 
does not contain p. It thus remains to prove the A2-hardness of CTL+,g-MC({A, E, F}) and 
CTL+„,-MC({A, E,G}). Consider CTL+ 3-MC({A, E, G}). Laroussinie et al. reduce from 
SNSAT, that is the problem to decide, given disjoint sets Zi, . . . , Z„ of propositional vari- 
ables from {zi, . . . , Zp} and a list ipi{Zi), ip2{xi, Z2), . . . , ipnixi, . . . , Xn, Zn) of formulae in 
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Figure 3: Extended version of the Kripke structure constructed in iLMSOU Figure 3]. 



conjunctive normal form, whether x„ holds in the unique valuation a defined by 

a{xi) = T <^=^ ^i{xi, . . . ,Xi-i,Zi) is satisfiable. (4-2) 

An instance I of SNS AT is transformed to the Kripke structure K depicted in Figure [3] and 
the formula ip2n-i that is recursively defined as 



1=1 i=l i=l 



(A) 

n n 

A g(/\^c,) a /\(fx,^/\\/F£,,,. 

i=l i=l j m 



(B) (C) 
for 1 < A; < n, tpo := T, and ipi = AjVm^ 

i,j,mi where the iij^m^s are literals over 
{xi, . . . , Xn}^Zi. Note that the structure K from Figure [3] differs from the Kripke structure 
constructed in [LMSOlj in that we introduce different labels and for 1 < i < n and 
j G {00,01,10,11}, as we need to distinguish between the states later on. The intuitive 
interpretation of (B) is that the existentially quantified path does actually encode an as- 
signment of {xi, . . . ,Xn} to {_L,T}, while (C) states that this assignment coincides with 
a on all propositions that are set to T. Lastly (A) expresses the recursion inherent in the 
definition of SNSAT. It holds that I G SNSAT ^ K,Xnh ^2n-i (see [LMSOlj for the 
correctness of this argument). 

We modify the given reduction to not use F. First note that V'fc-i occurs negatively in ipk. 
We will therefore consider the formulae ip2n-i,'4'2n-3, • • • > "01 ^4'2n-2-, ^4'2n-i-, ■ ■ ■ , ^tp2 
separately. In ip2n-i,ip2n-3, ■ ■ ■ replace 

n n n n 

- (A) with g( ^ E(G A -fiOi A ^sf A -s^) A G{\/ Xi y \/ a y 

i=l i=l 1=1 i=l 

n 



- (C) with /\ (g-x, V /W g V^*^ \ {-^k,,m})) ; 

1=1 j m 

and in -■V'2n-2, ~'V'2n-4, • • • , -^ip2 replace 

-(A)with V G(\/('J'\{^i}) VA(G(\/^\{ca)vG(c,V7/.fe_i)), 



l<j<n 
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- (B) with V G \/(^ \ {sT, and 

i=2 

n 

- (C) with V (g \ {Xi)) A V A ^^k3,m) , 



i=l j 

where $ := {xijSj, Cj, s°°, 5°-*^, s|°, sp \ I < i < n} U {zi,Zi \ I < i < p} is the set of ah 
propositions used in K. Denote the resulting formulae by A; > 0. In tl^'j^, all negations 
are atomic and only the temporal operators E, A and G are used. 

To verify that K, Xk \= ipk <^=^ K, Xk \= i^'^ for all < /c < 2n, consider ip^ with k odd 
first. Suppose K,Xk \= ipk- Then, by (A), there exists a path n in K such that whenever 
some Xi is labelled in the current state TTp, then there exists a path vr' starting in VTp that 
never visits any state labelled with sj, 1 < i < n, j & {00, 01, 10, 11}, and eventually falsifies 
ipk-i because it reaches a state where neither nor Cj holds for all 1 < z < n. Hence, by 
construction of K, vr' has to visit the states labelled with Cj and Xi for i such that Xi G rjiiTp). 
This is equivalent to the existence of a path vr' starting in tt^ which never visits any state 
labelled with sj, 1 < i < n, j € {00, 01, 10, 11}, and that falsifies V'fc-i if the current state is 
not labelled with Cj or Xj for all 1 < z < n. Hence the substitution performed on [A] does 
not alter the set of states in K on which the formula is satisfied. 

The formula (C), on the other hand, states that whenever the path vr quantified by the 
outmost E in V'fc visits the state labelled Xj, then for every clause j in the ith formula ipi of 
given SNSAT instance at least one literal 4,j,m occurs in the labels on tt (i.e., (pi is satisfied 
by the assignment induced by vr). The path vr is guaranteed to visit either a state labelled 
Xi or a state labelled Xi but not both, by virtue of the subformula {B). Therefore, the 
eventual satisfaction of Xi is equivalent to globally satisfying -i.Xj, whereas the satisfaction 
of ifi can be asserted by requiring that for any clause some literal is globally absent from 
the labels on vr. Thus the substitution performed on (C) does not alter the set of states on 
which the formula is satisfied either. Concluding, K,Xk \= ipk K,Xk \= ip'^ for all odd 

< A; < 2n. 

Now, if k is even, then 



nV-jfc = A 



n n n 

■■[\/x,AA{F \/isr V V sf V .P) V G( V X. ^ 
i=l 1=1 i=l 



(A) 

n n 

V f( V q) V V (fxi A V A G-4,i,m) 



Here, {A) asserts that on all paths vr there is a state vr^ such that Xj € vi'^p) fo'^ some 
I < i < n and all paths vr' starting in vr^ eventually visit a state labelled with s^, 1 < i < n, 
j € {00, 01, 10, 11}, or satisfy V'fc-i whenever Xi G r]{7rp) for some 1 < i < n. By construction 
of K, this is equivalent to stating the all paths vr' either pass the state labelled Cj and globally 
satisfy q V ipk-i or do not pass the state labelled Cj. As for the states in K the formula 
F(V"=i^/\x) =V"=iF(xIAx) is satisfied iff V^Li G( V(^ \ {^i}) V x) is satisfied, the set 
of states in K on which the ipk is satisfied remains unaltered when substituting (A) with 
Vi<Kn G ( V(* \ {^i}) V A(G(V $ \ {q}) V G(c V Vfc-i) ) . 
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Similarly, the set of states in K on which the ipk is satisfied remains unaltered when 
substituting (B) with V"=2'^V(^ \ Si^i}), as any path in K that visits a 

state labelled with some q cannot pass via states labelled with s^^, s^^, s^^^, or sj^^. 

Finally, the equivalence of i/^k with VILi V(^ \ {^i}) ^ Vj Am ^^^i,j,m} follows from 
arguments similar to those for the (C) part in the case that k is odd. We conclude that 
K,xk \= il'k K,Xk \= ip'k for all < /c < 2n. Hence, CTL+3-MC({A, E, G}) is A^-hard. 

For T = {A, E, F} similar modifications show that CTLpQg-MC(T) is Ag-hard, too. This 
concludes to proof of Theorem 14. 3[ □ 

Finally consider ECTL"*", the combination of ECTL and CTL^. One can adapt the 

oo oo 

above hardness and membership proofs to hold for F and G instead of F and G: For example, 

oo 

to establish the Ag-hardness of ECTL+Qg-MC(T) in case T = {A, E, G} we modify K such 
that the states labelled Xn and x„ are reachable from Zp and fp and assert that (a) the 
path quantified by the outmost path quantifier in ^fc, 1 < i < 2n, additionally satisfies 

^ oo oo 

/\j^^(G-iXj V G-iXj) and (b) whenever Xi is labelled, then there exists a path that all but a 

oo oo 

finite number of times satisfies Xj. The changes if F is available instead of G follow by the 
duality principle of these operators. For its model checking problem we hence obtain: 

Corollary 4.4. Let T be a set of temporal operators containing at least one path quantifier 

oc oo 

and let T' by obtained from T by substituting F with F and G with G. Then ECTL^-MC(T) =cd 
CTL+-MC(r') and ECTL+,3-MC(r) =cd CTL+,3-MC(T). 



5. Conclusion 

We have shown (Theorem 13. 2p that model checking for CTLpos(r) is already P-complete 
for most fragments of CTL. Only for some weak fragments, model checking becomes easier: 
if T C {EX, EF} or T C {AX, AG}, then CTLpos-MC(r) is LOGCFL-complete. In the case 
that no CTL-operators are used, NC^-completeness of evaluating propositional formulae 
applies. As a direct consequence (Theorem 13. ip . model checking for CTL(T) is P-complete 
for every nonempty T. This shows that for the majority of interesting fragments, model 
checking CTL(r) is inherently sequential and cannot be sped up using parallelism. 

While all the results above can be transferred to ECTL (Theorem STJ , CTL+ and 
ECTL"^ exhibit different properties. For both logics, the general model checking problem 
was shown to be complete for Ag in [LMSOlj . Here we proved that model checking fragments 
of CTL^(T) and ECTL^(T) for T C {A, E,X} remains tractable, while the existential and 
the universal fragments of CTLp^g (T) and ECTLp^g (T) containing temporal operators other 
than X are complete for NP and coNP, respectively. 

Instead of restricting only the use of negation as done in this paper, one might go one 
step further and restrict the allowed Boolean connectives in an arbitrary way. One might, 
e.g., allow the exclusive-OR as the only propositional connective. This has been done for 
the case of linear temporal logic LTL in [BMS^09 ]. where the complexity of LTL-MC(T, B) 
for an arbitrary set T of temporal operators and B of propositional connectives was studied. 
For example, restricting the Boolean connectives to only one of the functions AND or OR 
leads to many NL-complete fragments in the presence of certain sets of temporal operators. 
However a full classification is still open. 

Considering the CTL variants considered in this paper, plus CTL*, over arbitrary sets 
of Boolean operators would be one way to generalise our results. In the case of CTL"*" and 
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AX, AG 
C' = AF,AU,AR, EG,EU,ER 

Figure 4: Complexity of CTLpos-MC(T) for all sets T of CTL-operators (depicted as a 
"finite automaton" where states indicate completeness results and arrows indicate 
an increase of the set of CTL-operators) . 

CTL*, where model checking is intractable |EL87t [S^ch031 ILMSOlj . such a more fine-grained 
complexity analysis could help draw a tighter border between fragments with tractable 
and intractable model checking problems. As for the corresponding satisfiability problems 
CTL-SAT(r, B) and CTL*-SAT(T, B), their complexity has been determined — with respect 
to the set of Boolean operators, completely — in |MMTV09] . 

Throughout this paper, we have assumed that the formula and the Kripke structure 
are part of the input and can vary in size. The case where the complexity is measured 
in terms of the size of the formula (or the Kripke structure), and the other component is 
assumed to be fixed, is usually referred to as specification complexity (or system complexity). 
Our approach measures the joint complexity. In applications, where usually the structure 
is significantly bigger than the specification, an analysis of the system complexity becomes 
interesting. For system complexity, model checking for CTL and CTL* is already NL- 
complete |BVW94| IKVWOO] . Still, the hope for a significant drop of system complexity 
justifies a systematic analysis of fragments of these logics. 
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